Your message dated Sun, 22 Mar 2026 13:06:13 +0100
with message-id <[email protected]>
and subject line Re: Accepted ormar 0.23.1-1 (source) into unstable
has caused the Debian Bug report #1131494,
regarding ormar: CVE-2026-27953
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131494
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ormar
Version: 0.23.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ormar.
CVE-2026-27953[0]:
| ormar is an async mini ORM for Python. Versions 0.23.0 and below are
| vulnerable to Pydantic validation bypass through the model
| constructor, allowing any unauthenticated user to skip all field
| validation by injecting "__pk_only__": true into a JSON request
| body. By injecting "__pk_only__": true into a JSON request body, an
| unauthenticated attacker can skip all field validation and persist
| unvalidated data directly to the database. A secondary __excluded__
| parameter injection uses the same pattern to selectively nullify
| arbitrary model fields (e.g., email or role) during construction.
| This affects ormar's canonical FastAPI integration pattern
| recommended in its official documentation, enabling privilege
| escalation, data integrity violations, and business logic bypass in
| any application using ormar.Model directly as a request body
| parameter. This issue has been fixed in version 0.23.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27953
    https://www.cve.org/CVERecord?id=CVE-2026-27953
[1] https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8
[2] https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
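The advisory above describes a request body that carries ORM-internal constructor keys (`__pk_only__`, `__excluded__`) into a model that is used directly as a FastAPI request parameter. The upstream fix is in ormar 0.23.1; the following is an added defensive example, not ormar's or Debian's code, showing the two things an application owner can do independently of the library version: refuse any JSON body that contains dunder-style keys before it reaches a model constructor, and scan access logs for bodies that carried such keys. Only the two key names come from the advisory; the log line format, the `RejectedBody` exception and the sample records are constructed for this example.

```python
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Constructor keys named in the CVE-2026-27953 advisory text. Any other
# "__name__" key is rejected as well, since no request body should ever
# need to address a model's internal construction options.
RESERVED_KEYS = frozenset({"__pk_only__", "__excluded__"})
DUNDER = re.compile(r"^__.*__$")


class RejectedBody(ValueError):
    """Raised when a request body must not reach a model constructor."""


def find_reserved_keys(obj: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Walk a decoded JSON document and yield (json_path, key) for every
    reserved or dunder key, including keys inside nested objects and arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in RESERVED_KEYS or DUNDER.match(key):
                yield path, key
            yield from find_reserved_keys(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from find_reserved_keys(value, f"{path}[{index}]")


def sanitize_body(raw: bytes) -> dict:
    """Decode a JSON request body and return it only if it is a plain object
    free of reserved keys; otherwise raise RejectedBody with the offending paths.
    Call this before handing the data to any ORM or Pydantic model."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RejectedBody(f"invalid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise RejectedBody("request body must be a JSON object")
    hits = list(find_reserved_keys(data))
    if hits:
        raise RejectedBody(
            "reserved keys in body: " + ", ".join(f"{p}.{k}" for p, k in hits)
        )
    return data


# Constructed sample access-log lines (not real traffic). Assumed format:
# "<timestamp> <method> <path> <json-body-or-dash>".
SAMPLE_LOG = [
    '2026-03-22T10:04:14Z POST /users {"email": "alice@example.org", "role": "user"}',
    '2026-03-22T10:04:15Z POST /users {"email": "eve@example.org", "__pk_only__": true}',
    '2026-03-22T10:04:16Z PUT /users/7 {"profile": {"__excluded__": ["role"]}}',
    '2026-03-22T10:04:17Z GET /users/7 -',
]


def flag_log_lines(lines: list[str]) -> list[tuple[str, str, str, list[str]]]:
    """Return (timestamp, method, path, keys) for every logged request whose
    JSON body contained a reserved or dunder key. Lines without a JSON body
    or with unparseable bodies are skipped rather than flagged."""
    flagged = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or not parts[3].startswith("{"):
            continue
        timestamp, method, path, body = parts
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            continue
        keys = [key for _, key in find_reserved_keys(data)]
        if keys:
            flagged.append((timestamp, method, path, keys))
    return flagged


if __name__ == "__main__":
    for entry in flag_log_lines(SAMPLE_LOG):
        print("flagged:", entry)
```

The sanitizer deliberately rejects the whole body instead of silently dropping the keys, so that an attempt is visible in application error logs; the log scanner applies the same key-walking logic retrospectively, which is the check to run over historical traffic when assessing exposure before the 0.23.1 upgrade.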
--- Begin Message ---
Source: ormar
Source-Version: 0.23.1-1
On Sun, Mar 22, 2026 at 10:04:14AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Sun, 22 Mar 2026 08:34:06 +0000
> Source: ormar
> Architecture: source
> Version: 0.23.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Edward Betts <[email protected]>
> Changes:
> ormar (0.23.1-1) unstable; urgency=medium
> .
> * New upstream release.
> * Refresh patch to fix failing tests.
> Checksums-Sha1:
> 1dba82db8da92ab3a756d184affdd87d7a0b6249 2538 ormar_0.23.1-1.dsc
> 680dc8a546ab850a003b23b2930c8b399c523cc6 407719 ormar_0.23.1.orig.tar.gz
> 0ae2e0309c9df6ac3660e6d476cf6e35e879e42d 4424 ormar_0.23.1-1.debian.tar.xz
> c1a57397586239aa65a3caa4604747aa49f0f596 6966 ormar_0.23.1-1_source.buildinfo
> Checksums-Sha256:
> da858e493e498f11a4ff5e790755de5c6bffa4a3f04297bf82725f11bf15f881 2538 ormar_0.23.1-1.dsc
> 093a023c19c460f2ae8e66fda8ab5a916a8c10c27cc0bfac64679760b955665b 407719 ormar_0.23.1.orig.tar.gz
> 4982c8758b5f7cad03bebcca96fa9b2a649ff103ba1690bea99a0dad25134b65 4424 ormar_0.23.1-1.debian.tar.xz
> b0e21168ab157b372bef7e7ca246b77cf1b935e8b19331098eb913c6ad605482 6966 ormar_0.23.1-1_source.buildinfo
> Files:
> 120d843279a3aeb26f61e9d191fab8a6 2538 python optional ormar_0.23.1-1.dsc
> 9d35641d590ccc4a55249c12410f24e4 407719 python optional ormar_0.23.1.orig.tar.gz
> 5d07edf16249e423e4a640770d563120 4424 python optional ormar_0.23.1-1.debian.tar.xz
> ef1731a3867ec2a18525b8161b1a9ed6 6966 python optional ormar_0.23.1-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEE+4rPp4xyYInDitAmlgWhCYxjuSoFAmm/uR8ACgkQlgWhCYxj
> uSrZTw/+KNEzuQ9m6tD31m6YZRsy/To9xu5qoAHr5G+iBDby+H4s7D1gUw4WWfKh
> 5dkTrj921lUsdRRXZFbpI1k8c6z1uwPj8+ih3V7ICvxaV9CRuvog8j5E2y6BNFKW
> TFC0PQNBdXzb5r5hudC4pRiwzjVq3KYZYJNOiP4/92JrjIppmtabkZ9B4jHPsa7s
> WkAvE8kiOJZyjwyY/UE+XyNbghQUvEIdemkwLtC80UUiMbaSzCLhzFtZsfzrX3Tl
> KHhcSn/+eprMtKqRP784jFslqbqO70U0EA3LjF9cetxrlJWZycodh9smCB7K9gRD
> 1b2Yip5HZVuBVBMfg2dKhwFV3Mz6atyQKPOqwlT95hOw19q7hnbEXOntqLu31ExN
> 6N1LdnzIGGeFsAZuEmsS1VGDwYd7xaXSajdeDM377e/4GmePmKjDxfU4fCw4FTyX
> G5dXdwPylQXf4BDmQbWhi/CdiyLp2ZLueCAG6RwBArSp7roYvylr8DwtIKdj6sKH
> qhKi2I5LKoZqS8QOhnNNwsKUNpMpD6dYgrRr3U1NVVm/JWbYWVgPsTOxR26FUWSc
> BxrAUf9ZRJHrWbfftdFRfZEvSeKWy4iDy/8wr81LfGkZpkTF0znOgCkQuscql4k5
> 4r17lS3qs90vkM8wP+/xbcXoU/j8DAlSZg2C6rBEFPL0B8FRCLI=
> =VzKD
> -----END PGP SIGNATURE-----
--- End Message ---